Federal accessibility laws don’t matter — California’s accessibility laws do
Federal laws are a minimum standard that must be followed by every entity they apply to in every US state/territory. The Supreme Court stated in Geier v. American Honda Motor Co. that individual states are allowed to pass laws that will “establish greater safety than the minimum safety achieved by a federal regulation intended to provide a floor.” California has grabbed on to that “greater safety than the minimum” part of the Geier case with a pretty strong grip. Let’s look at how this “floor/safer” federal/state balance has worked in the non-tech world.
The federal EPA set guidelines for car gas mileage and air pollution
California didn’t think those were good enough, and Californians were largely willing to pay more to reverse the choking pollution that had saturated the area in the 70s
California passed stricter guidelines within the state
The current administration loosened the federal regulations and then threatened legal action to undermine California’s stricter requirements
California executed an end-run around this by making a private deal with auto manufacturers
Why is it California that matters? California:
is the largest state in the US
has a population larger than many countries
has the 5th largest GDP in the world (ranking just behind Germany and above the UK)
So why shouldn’t California have the right to define regulations that protect its citizens more strongly than the federal floors?
Because California is going down this road right now, woe be to the company outside of California that ignores California law and then tries to sell to California citizens. I have already written about the Unruh Act and recent California case law tying the Unruh Act (which comes with an automatic $4000 per violation fine) to digital accessibility. This article will focus on a law that is about to come into force: The California Consumers Privacy Act.
California Consumers Privacy Act
The CCPA (California Consumer Privacy Act) includes a specific requirement that privacy notices be accessible and have alternative format access clearly called out. This law is taking effect on Jan 1, 2020. Fines range from $2500 to $7500 per instance, so you don’t want to mess around. Because this is the “California Consumers” privacy act, it doesn’t just affect companies that are based in California, it affects companies doing business in California. Which is in effect, almost everyone in the US, unless you specifically block viewers with IP addresses known to be in California.
Who does the CCPA Apply to?
Unlike the Unruh Act which leverages ADA requirements, the CCPA has its own guidelines. It is mostly intended to apply to larger companies. Organizations that must comply with the CCPA include those that:
Have $25 million or more in annual revenue; or
Possess the personal data of more than 50,000 “consumers, households, or devices” or
Earn more than half of its annual revenue selling consumers’ personal data.
The California legislature also exempted a few types of companies. These are:
Health providers and insurers already under HIPAA
Banks and financial companies covered by Gramm-Leach-Bliley
Credit reporting agencies (Equifax, TransUnion, etc.) that come under the Fair Credit Reporting Act
CCPA Fine Print
999.308. Privacy Policy The privacy policy shall be designed and presented in a way that is easy to read and understandable to an average consumer. The notice shall: a. Use plain, straightforward language and avoid technical or legal jargon. b. Use a format that makes the policy readable, including on smaller screens, if applicable. c. Be available in the languages in which the business in its ordinary course provides contracts, disclaimers, sale announcements, and other information to consumers. d. Be accessible to consumers with disabilities. At a minimum, provide information on how a consumer with a disability may access the policy in an alternative format. e. Be available in an additional format that allows a consumer to print it out as a separate document.
Use plain straightforward language
There are many studies on the average reading grade level in the US. Most of these studies place the average between 6th and 8th grade. Basic contract legalese isn’t going to work here. If flowery, complex language is used, it is going to leave a lot of consumers not really understanding what they just agreed to. Read this article on how complicated language is discriminatory, and how to make it more accessible to all.
Make the policy readable
“Readable” in this part of the regulation pertains to actually being able to perceive the text, not understand it. To satisfy this part of the regulation:
Zoom/Magnification *must* work. Both built-in (pinch-to-zoom and <Ctrl-+> and external (Zoomtext) should work
HTML must be responsive (not explicitly stated, but the call out of “small screens” really strongly implies it)
Icons and other interactive components must be big enough to easily use
Icons and other interactive components must have enough contrast to be easily seen
Be accessible to consumers with disabilities
California case law has repeatedly identified WCAG 2.0 Level AA as the applicable standard in determining whether or not a website or mobile app is accessible. However, in specifically calling out “small screens” in 999.308(b) above, the CCPA has implicitly triggered three WCAG 2.1 standards (responsive, non-text contrast, and touch target size), and the touch target size guideline is a WCAG 2.1 AAA standard.
Nothing has been said in the CCPA about automatic screen reorientation when the privacy policy is buried in a native app. However, I suspect if someone with a wheelchair using a device in a fixed frame said they couldn’t access a privacy policy because it was in an app and didn’t automatically reorient, they would have a fairly good case for a CCPA violation.
Provide Alternate Formats
The types of alternate formats that can be requested include but probably aren’t limited to:
Audio
Braille
Captions. FYI, captions are a Level A WCAG guideline, so if you aren’t already doing this, you are likely out of compliance.
Descriptive audio. Another Level A WCAG guideline.
Large print
Electronic text
ASL interpretation for pre-recorded video soundtracks
Some of these alternate formats (Braille and Large Print, for example) have their own strict requirements in California in terms of how they are produced.
If you are searching for vendors when the request for an alternate format comes in, chances are you are NOT going to provide the information in the requested format in a commercially reasonable time frame. The time to start setting up these relationships, especially for larger companies, is now.
Enactment
The CCPA will go into effect on January 1, 2020. The California Attorney General, who generally enforces the CCPA, will adopt regulations on or before July 1, 2020. Enforcement actions will not be brought until 6 months after the publication of such regulations or July 1, 2020.
Conclusion
There are already several companies making CCPA-compliant privacy/cookie/consent software. If you don’t feel capable of creating your own, consider using one of theirs. Hint: Googling CCPA brings up a number of ads from these companies.
Don’t just address your privacy policy — make your entire website accessible.